github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-19 09:16:29 +00:00
Code Issues Projects Releases Wiki Activity

pkg/sysctl: Prevent ebpf privilege escalation

Browse Source 
On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.

See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This commit is contained in:
Rolf Neugebauer 2017-12-25 15:32:57 +01:00
parent a7e7a39f89
commit 720fb219ce
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
View File

@ -26,3 +26,6 @@ kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Prevent ebpf privilege escalation
# see: https://lwn.net/Articles/742170
kernel.unprivileged_bpf_disabled=1